Remote File Inclusions Pose Threat to Web Server Security

New research rings the alarm bell on the risks of Remote File Inclusions, which could be a more pervasive threat to Web server security than even SQL injection.

A common capability on many Web server and content management platforms is the ability to perform Remote File Inclusions (RFIs), which allow users to simply upload an image or a file. Yet RFIs might well be the most pervasive threat on the Web today, according to new research published by cloud security firm Incapsula.
Incapsula examined some 500 million Web sessions to its service over a six-month period and found that 25 percent of them were at risk from an RFI-based attack vector, Marc Gaffan, co-founder of Incapsula, told eWEEK. In contrast, over that same period, only 23 percent of sessions were found to be at risk from SQL injection attacks. In the RFI attack vector, that seemingly innocuous file or image upload in fact includes some form of malicious payload that can potentially enable an attacker to harm a server.
"The number of RFI vulnerabilities is significant," Gaffan said. "The potential damage from RFIs is broader than a SQL injection attack, where the attacker is just going after a database."
In a SQL injection attack, bad code is "injected" into a database, which can then in some cases enable an attacker to extract data. With RFIs, an attacker could potentially gain control of a Website, Gaffan said.

Moving a step further, Incapula's data found that the RFI attackers were going after issues that vendors have patched. For example, the Incapsula report found that 58 percent of RFI attackers were scanning for sites that were at risk from a TimThumb vulnerability, first patched in August 2011. TimThumb is an image-resizing tool that is often used with the popular open-source WordPress content management system.

While the TimThumb RFI vulnerability takes advantage of an issue that was patched two years ago, Incapsula found that 56 percent of RFI links persist for more than 60 days.
"Things are slow to get patched," Gaffan said.

The Fix

One way to help mitigate the risk of RFIs is to make sure that servers and applications are properly patched for known vulnerabilities.

Security services such as the cloud security provided by Incapsula can also provide another potential layer of defense. Incapsula works as a reverse-proxy, which tunnels traffic from an originating server and can provide a degree of security protection against denial-of-service and other threat categories. In the case of RFIs, Incapsula has both a rules-based Web Application Firewall that can limit risk as well as reputation-based intelligence that is gathered from across its customer base. By leveraging the view that it gets from across many customers, patterns emerge that can help identify RFI links and risks.
Overall, the battle against RFI is a cat-and-mouse game, Gaffan said.
"Coders write code to sanitize inputs, and hackers write new shells to exploit applications," Gaffan said. "There is no silver bullet here, with RFIs, there is such a large playing field that the defenders have to cover; that makes it practically impossible to completely cure RFIs."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.